• No results found

Application of cube attack to block and stream ciphers

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Application of cube attack to block and stream ciphers"

Copied!
35
0
0

Loading.... (view fulltext now)

Download now ( 35 Page )

Full text

(1)

Application of cube attack to block and stream ciphers

Janusz Szmidt

joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute

Poland

23 czerwca 2009

(2)

1. Papers

Itai Dinur and Adi Shamir, Cube Attacks on

Tweakable Black Box Polynomials, Eurocrypt, 2009.

S. S. Bedi and R. Pillai, Cube attacks on Trivium, IACR Cryptology ePrint Archive, 2009/15.

J-P. Aumasson, W. Meier, I. Dinur, A. Shamir, Cube testers and key recovery attacks on reduced round MD6 and Trivium, Fast Software Encryption, 2009.

I. Dinur, A. Shamir, Side channel cube attacks on block ciphers, IACR Cryptology ePrint Archive, 2009/127.

J. Lathrop, Cube Attacks on Cryptographic Hash Functions, Master’s Thesis, Rochester Institte of Technology, 2009.

(3)

Paper

Miachael Vielhaber, Breaking One.Fivium by AIDA an Algebraic IV Differential Attack, IACR Cryptology ePrint Archive, 2007.

(4)

2. The structure of attack

Let us consider cryptosystem described by the polynomial:

p(v1, . . . ,vm,x1, . . . ,xn)

depending on m public variables v1, . . . ,vm (the initial value or plaintext) and on n secret variables x1, . . . ,xn (the key).

The value of the polynomial represents the ciphertext bit.

In general, the polynomial p is not explicitelly known; it can be a black box.

We will consider the known plaintext attack, where at the preprocessing stage the attacker has also an access to secret variables (initial values or keys).

(5)

3. The structure of attack, cont.

1 The preprocessing stage. The attacker can change the values of public and secret variables. The task is to obtain a system of linear equations on secret variables.

2 The stage on line of the attack. The key is secret now. The attacker can change the values of public variables. He adds the output bits, where the inputs run over some multi-dimennsional cubes. The task is to obtain the right hand sides of linear equations. The system of linear equation can be solved giving some bits of the key.

(6)

4. Mathematical background

For a moment we shall not distinguish the secret and public variables.

Let p be a polynomial of n variables x1, . . . ,xn over the field GF (2).

For a subset of indexes I = {i1, . . . ,ik} ⊆ {1, . . . ,n} let us take a monomial

tI = xi1. . .xik Then we have a decomposition

p(x1, . . . ,xn) = tI · pS(I )+ q(x1, . . . ,xn) where the polynomial pS(I ) does not depend on the variables x x .

(7)

5. Example 1

Let us consider a polynomial p of degree 3 depending on 5 variables:

p(x1,x2,x3,x4,x5) = x1x2x3+ x1x2x4+ x2x4x5+ x1x2+ x3x5+ x2 + x5 = 1

Let I = {1.2} be a chosen subset of indexes.

Then the polynomial p can be decomposed as:

p(x1,x2,x3,x4,x5) = x1x2(x3+ x4+ 1)+

(x2x4x5+ x3x5+ x2+ x5+ 1)

(8)

6. Example 1, cont.

Using the introduced above notation:

tI = x1x2, pS(I ) = x3+ x4+ 1,

q(x1,x2,x3,x4,x5) = x2x4x5+ x3x5+ x2+ x5+ 1

(9)

7. Definition 1

The maxterm of the polynomial p we call the monomial tI, such that

deg(pS(I )) = 1,

it means that the polynomial pS(I ) corresponding to the subset of indexes I is a linear one, which is not a constant.

(10)

8. Summation over cubes

Let I = {i1, . . . ,ik} ⊂ {1, . . . ,n} be a fixed subset of k indexes.

The set I defines the k-dimensional boolean cube CI, where on the place of each of the indexes we put 0 or 1.

A given vector v ∈ CI defines the derived polynomoal pv

depending on n − k variables, where in the basic polynomoal p we put the values corresponding to the vector v .

Summing over all vectors in the cube CI we obtain the polynomial:

pI = X

v ∈CI

pv

(11)

9. Theorem 1

Let p be a polynomial over the field GF (2) and I ⊂ {1, . . . ,n}

the index subset. Then we have :

pI = pS(I ) mod 2

(12)

10. Example 2

Let us consider a polynomial:

p(v1,v2,v3,x1,x2,x3) = v1v2v3+ v1v2x1+ v1v3x1+ v2v3x1+ v1v2x3+v1v3x2+v2v3x2+v1v3x3+v1x1x3+v3x2x3+x1x2x3+

v1v2+ v1x3 + v3x1+ x1x2+ x2x3+ x2+ v1+ v3+ 1 of degree d = 3 depending on public variables v1,v2,v3

and secret variables x1,x2,x3.

Substituting on public variables the values 0/1 we get the eight derived polynomials.

(13)

11. Example 2, cont.

p(0,0,0,x1,x2,x3) = x1x2x3+ x1x2+ x2x3+ x2+ 1 p(0,0,1,x1,x2,x3) = x1x2x3+ x1x2+ x1+ x2 p(0,1,0,x1,x2,x3) = x1x2x3+ x1x2+ x2x3+ x2+ 1

p(0,1,1,x1,x2,x3) = x1x2x3+ x1x2

p(1,0,0,x1,x2,x3) = x1x2x3+ x1x2+ x1x3+ x2x3+ x2+ x3 p(1,0,1,x1,x2,x3) = x1x2x3+ x1x2+ x1x3+ 1

p(1,1,0,x1,x2,x3) = x1x2x3+ x1x2+ x1x3+ x2x3+ x1+ x2+ 1 p(1,1,1,x1,x2,x3) = x1x2x3+ x1x2+ x1x3+ x2+ x3+ 1

(14)

12. Example 2, cont.

Summing the four derived polynomials with v1 = 0 we get x1+ x2,

Summing the four derived polynomials with v2 = 0 we get x1+ x2+ x3,

Summing the four derived polynomials with v3 = 0 we get x1+ x3+ 1.

The obtained expressions lead to a system of linear equations used in the stage on line of the attack.

(15)

13. The preprocessing stage

1 The first task is to fix dimension of the cube and the public variables over which we will sum; they are called the tweakable variables, and the other public variables are put to zero. In the case we know the degree d of the basic polynomial, we put the cube dimension to d − 1.

2 We do the summation over a fixed cube for several values of secret variables and collect the obtained values.

3 We do the linear tests for the obtained function of secret variables and store it when it is linear:

f(x ⊕ x0) = f (x) ⊕ f (x0) ⊕ f (0),

where x = (x1, . . . ,xn) are secret variables (the key).

(16)

14. The preprocessing stage, cont.

The next task is to calculate the exact form (the coefficients) of the obtained linear function of secret variables.

The free term of the linear function we obtan putting its all argument equal zero.

The coefficient of the variable xi is equal 1 if and only if the change of this variable implies the change of values of the function.

The coefficient of the variable xi is equal 0 if and only if the change of this variable does not imply the change of values of the function.

(17)

15. The preprocessing stage, cont.

The task of this stage of attack is to collect possible many independent linear terms - they constitute the system of linear equations on secret variables.

This system of linear equations will be used in the on line stage of attack.

The preprocessing stage is done only once in cryptanalysis of the algorithm.

(18)

16. The stage on line of attack

Now an attacker has the access only to public variables (thr plaintext for block ciphers, the initial values for stream ciphers), which he can change and calculates the corresponding bits of the ciphertext under the unknown value of secret variables.

The task of this stage of attack is to find some bits of secret key with complexity, which would be lower than the exhuastive search in the brute force attack.

The attacker uses the derived system of linear equations for secret variables (the unknown bits of the key), where the right hand sides of these equations are the values of bits of ciphertext obtained after summation over the same cubes as in the preprocessing stage, but now the key is not known.

(19)

17. The stage on line of attack, cont.

The cube attach is applicable to symmetric ciphers for which the polynomials descibing the system have relatively low degree.

Then one can eventually find some bits of unknown key.

The remaining bits of the key may be found by brute force search.

After successful preprocwssing stage, the stage on line of attack can be done many times for different unknown keys The cube attack is applicable, in general, to

cryptosystems without knowing their inner structure. The attacker must have the possibility to realize the

preprocessing stage and in the on line stage an access to the implementation of the algorithm (to perform the

(20)

18. CTC - Courtois Toy Cipher

Specification

CTC was designed by Nicolais Courtois to apply and test the methods of algebraic analysis.

It is a SPN network which is scalable in the number of rounds, the block and key size.

Each round performs the same operation on the input data, except that a different round key is added each time. The number of rounds is denoted by Nr. The output of round i − 1 is the input to round i .

Each round consists of parallel applications of B S-boxes (S), the application of the linear diffusion layer (D), and a final key addition of the round key. The round key K0 is added to the plaitext block before the first round.

(21)

19. CTC overviev for B = 10

(22)

20. CTC - Courtois Toy Cipher

Specyfication, cont.

The plaintext bits p0. . .pBs−1 are identified with Z0

,0. . .Z0,Bs−1 and the ciphertext bits c0. . .cBs−1 are identified with XNr+1,0. . .XNr+1,Bs−1 to have an uniform notation.

The S-box was chosen as the permutation [7,6,0,4,2,5,1,3]

It has 23 = 8 inputs and 8 outputs. The output bits are quadratic boolean functions of the input bits. The explicit form of these functions is not used in cube attack.

(23)

21. CTC - Courtois Toy Cipher

Specyfication, cont.

The diffusion layer (D) is defined as Zi,257modBs = Yi,0

for all i = 1. . .Nr,

Zi,(1987j+257)modBs = Yi,j + Yi,(j+137)modBs

for j 6= 0 and all i , where Yi,j represents input bots and Zi,j represents output bits.

(24)

22. CTC - Courtois Toy Cipher

Specyfication, cont.

The key schedule is a simple permutation of bits:

Ki,j = K0,(i +j)modBs

for all i and j, where K0 is the main key.

Key addition is performed bit-wise:

Xi+1,j = Zi,j + Ki,j

for all i = 1. . .Nr and j = 1. . .Bs− 1, where Zi,j

represents output bits of the previous diffusion layer, Xi+1,j the input bits of the next round, and Ki,j the bits of the current round key.

(25)

23. Cube attack on CTC

We have applied the cube attack to the version of CTC with four rounds and B = 40 of S-boxes, i.e. the block and the key sizes being 120 bits.

In the preprocessing stage we have done the summation over 50000 randomly chosen four dimensional cubes taken from the plaintext (other bits of the plaintext are put to zero). Then 757 boxes lead to linear expresions

(maxterms) for bits of the key. For derivation of each linear expresion we used 5000 linear tests. We have chosen 120 linearly independent maxterms. They give the solvable system of linear equation for bits of the key.

(26)

24. The linear equations

The equation Cube indexes 1+x66+x68 = c66 {4,5,22,52}

x27+x28 = c105 {1,60,62,90}

1+x58 = c18 {16,17,60,110}

1+x14 = c80 {29,38,61,106}

1+x54+x56 = c36 {41,55,64,115}

1+x115+x116 = c66 {5,10,22,89}

1+x43 = c11 {73,74,75,118}

x69+x70 = c28 {48,68,77,110}

1+x25 = c70 {73,76,93,104}

x78+x79 = c114 {10,39,70,118}

There are together 120 linearly independent such equations for the bits x x of the key; c c are output bits.

(27)

25. Cube attack on CTC, cont.

In the on line stage of the attack we need to sum over 120 chosen cubes (the key is unknown) to find the right hand sides of the linear equations.

The complexity of the attack here is about 27· 24 = 211 encryptions of the four round CTC to recover the full 120-bit key.

In fact, this reduced round cipher is described by a system of linear equations.

Probably, for biger number of rounds, it is impossible to find such a description.

(28)

26.The stream cipher Trivium

The specification of algorithm

Algorithm Trivium (the authors: C. de Canniere and B.

Preneel ) is one of the finalists of eSTREAM competitions.

The basic parameters are the 80-bit key and the 80-bit initial value.

The inner state of Trivium are 288 bits loaded to three nonlinear registers of different lengths.

In each round of the algorithm the registers are shifted on one bit.

The feedback in each register is given by a nonlinear function.

(29)

27. The specification of Trivium

(s1,s2, . . . ,s93) ← (k1,k2, . . . ,k80,0, . . . ,0) (s94,s95, . . . ,s177) ← (IV1,IV2, . . . ,IV80,0, . . . ,0)

(s178,s179, . . . ,s288) ← (0,0, . . . ,0,1,1,1) for i = 1 to 1152

t1 ← s66+ s93 t2 ← s162+ s177 t3 ← s243+ s288 t1 ← t1+ s91· s92+ s171 t2 ← t2 + s175· s176+ s264

t ← t + s · s + s

(30)

28. The specification of Trivium, cont.

(s1,s2, . . . ,s93) ← (t3,s1, . . . ,s92) (s94,s95, . . . ,s177) ← (t1,s94, . . . ,s176) (s178,s179, . . . ,s288) ← (t2,s178, . . . ,s287) end for

(31)

29. The specification of Trivium, cont.

The generation of the ouput btstring (zi) of the maximal length up to N = 264 bits, can be represented as:

for i=1 to N

t1 ← s66+ s93 t2 ← s162+ s177

t3 ← s243+ s288 zi ← t1+ t2 + t3 t1 ← t1 + s91· s92+ s171 t2 ← t2+ s175· s176+ s264

t3 ← t3+ s286· s287+ s69

(32)

30. The specification of Trivium, cont.

(s1,s2, . . . ,s93) ← (t3,s1, . . . ,s92) (s94,s95, . . . ,s177) ← (t1,s94, . . . ,s176) (s178,s179, . . . ,s288) ← (t2,s178, . . . ,s287) end for

(33)

31. The cube attack on Trivium

Dinur and Shamir investigated the reduced version of Trivium which contains 672 (instead of 1152)

initialization rounds.

During the preprocessing stage they obtained 63 linearly independent maxterms corresponding to 12-dimensional cubes and output bits of the indices from 672 to 685.

(34)

32. The cube attack on Trivium, cont.

In the on line stage the attacker must find the values of the maxterms summing over 63 12-dimensional cubes.

After solving the system of linear equations the attacker obtains 63 bits of the key and the remaining 17 bits of the key are found by brute force search.

The complexity of the attack (in the on line stage) is ca.

219 evaluatioins of the investigated, reduced algorithm. It is smaller than the complexity 255 in the previous attacks on this version of Trivium.

(35)

Cube attack

Thank you

References

Download now ( PDF - 35 Page - 756.20 KB )

Related documents